PGP Creator Defends Hushmail

Phil Zimmermann, the coder who created the Pretty Good Privacy (PGP) email encryption scheme in 1991, defended encrypted online webmail company Hushmail’s turning over of the unscrambled emails to the government when given a court order, arguing it is not reasonable to expect that online encrypted email storage is as safe as using encryption software on one’s own computer.

Zimmermann, who sits on Hushmail’s advisory board, spoke to THREAT LEVEL after we published a piece contrasting the site’s promises that it had no access to the contents of customers’ encrypted emails stored on their servers with a court case showing that the Canadian company turned over 12 CDs of readable emails to U.S. authorities.

Zimmermann is also the brains behind Zfone, software that works with VOIP services to make encrypted online phone calls possible.

“If your threat model includes the government coming in with all of force of the government and compelling service provider to do things it wants them to do, then there are ways to obtain the plaintext of an email ,” Zimmermann said in a phone interview. “Just because encryption is involved, that doesn’t give you a talisman against a prosecutor. They can compel a service provider to cooperate.”

Hushmail offers two ways to use its encrypted email service — both of which Hushmail now indicates can be eavesdropped on following a court order.

One, the now default, does the encryption work on Hushmail’s server and works largely like regular webmail. The second, original method uses a Java applet that runs in the user’s browser that takes care of the decryption and encryption of messages on his computer, after the user types in the right passphrase. In this case, messages reach Hushmail’s server already encrypted. The Java code also decrypts the message on the recipient’s computer, so an unencrypted copy never crosses the internet or hits Hushmails servers.

The simple webmail version exposes a user’s passkey to Hushmail briefly, explaining how the company is able to comply with legal orders served on the company for users that choose that option.

Though Zimmermann knows nothing of the DEA case or how Hushmail decrypts emails in response to court orders, he said there are technical ways Hushmail could unscramble a customer’s accounts, no matter which way they use Hushmail.

“You could have a different, modified Java applet delivered to the user, for example,” Zimmermann said.

But there are counter-measures a user could take to prevent being served a rogue Java applet, Zimmermann said.

“You could keep a digital signature of it or a cyrptographic strong hash and compare it each time, or you could keep your own copy and hopefully the copy you got before was the proper one,” Zimmermann said.

But, Zimmermann stressed, the company only undoes encryption when given a Canadian court order and is not turning over customer records wholesale to government agencies.

“It would be suicidal for their business model if they did that,” Zimmermann said. “Their hearts are in the right place but there are certain kinds of attacks that are beyond the scope of their abilities to thwart. They are not a sovereign state.”

Last week, THREAT LEVEL reported that Hushmail’s architecture does let the company unscramble user’s accounts and may be able to do so even with the version that requires users to use a hefty Java applet in their browsers to do the encrypting and decrypting.

Hushmail, a longtime provider of encrypted web-based email, markets itself by saying that “not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer.”

But it turns out that statement seems not to apply to individuals targeted by government agencies that are able to convince a Canadian court to serve a court order on the company.

A September court document (.pdf) from a federal prosecution of alleged steroid dealers reveals the Canadian company turned over 12 CDs worth of e-mails from three Hushmail accounts, following a court order obtained through a mutual assistance treaty between the U.S. and Canada.

Zimmermann says it would be a shame to damn Hushmail for this compliance, since it remains a useful tool against many other attacks, including protecting individuals from oppressive foreign governments who will have a tough time convincing a Canadian court to issue a search warrant on its behalf.

“If you are in a hotel room in Khazakstan or Russia and want to check your mail and you have a laptop, you could be running the Java applet or even running it through SSL,” Zimmermann said. “The behavior of the Hushmail servers is not going to be influenced by the local government where you are sitting in the hotel.”